On 12/9/11 1:36 PM, /dev/rob0 wrote: > On Friday 09 December 2011 14:23:01 Philip Prindeville wrote: >> On 12/9/11 11:39 AM, Grant wrote: > Philip: >>>> Now whenever you upgrade Squirrelmail to something current, >>>> you can pass your free time trying to figure out how to get >>>> it to do STARTTLS. :-) >>> >>> No need. Squirrelmail connects to 587 on the same host >>> without encryption and its successor could do the same. >> >> My point was that if you can get it to do >> encryption/authentication, you're better off. > > If an attacker is in a position to snoop traffic on the loopback > interface, chances are high that said attacker will also have any > encryption keys that might be used.
Sure, but all sorts of misconfigurations can happen... I recently did an upgrade from Fedora 15 to F16, and my eth0 got renamed p6p1... don't ask me why. All sorts of configs that explicitly knew the interface as eth0 broke. That didn't fail in such a way that loopback traffic was leaking, but that's no reason to abandon defense-in-depth for the truly paranoid.
